
Vulnerability detected - textbox with bind but disabled - chrome debugger opens backdoor

asked 2023-02-15 01:20:12 +0800

holos

Hi,

one of our creative testers found the following:

we have a textbox which is typically bound to a variable:

zul:

...
<textbox value="@bind(vm.input)" />
...

Sometimes we dynamically need to set this textbox to disabled="true".

Java:

@Wire
private Textbox input;
...
input.setDisabled(true);

Now one can open the (Chrome) debugger and just remove the disabled from

<input id="o4hEy" class="z-textbox z-textbox-disabled" value="" type="text" disabled>

and voilà - the field takes input and the input is sent to the server.

I tried a lot to suppress the value being sent, but found no proper solution.

Please advise.

P.S.: Rendering a label instead or checking something on the setter side is no option as we do all of this stuff highly dynamically.

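The underlying issue in the question is that a `disabled` attribute is only client-side state: anyone can remove it in the browser devtools, so the server must keep its own record of which fields are editable and ignore updates to the others. The following is an added illustration of that principle and is not code from the post, from hawk's answer, or from the ZK framework; the class and method names (`FormState`, `applyAll`, `Outcome`) are hypothetical, and the "tampered request" is a constructed input standing in for what the server receives after the tester re-enables the textbox.

```java
// Added example (not from the forum post or ZK): the server, not the client,
// records which fields are editable, so stripping `disabled` in the debugger
// cannot change a locked value. Hypothetical names; no ZK dependency.
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class ServerSideFieldLock {

    /** Outcome of applying one client-supplied update. */
    enum Outcome { APPLIED, REJECTED_LOCKED, REJECTED_UNKNOWN }

    /** Server-side form model; the lock set lives here, never on the client. */
    static final class FormState {
        private final Map<String, String> values = new LinkedHashMap<>();
        private final Set<String> locked = new HashSet<>();

        FormState(String... fieldNames) {
            for (String f : fieldNames) values.put(f, "");
        }

        /** Counterpart of textbox.setDisabled(true): record the lock where the client cannot edit it. */
        void lock(String field) { locked.add(field); }
        void unlock(String field) { locked.remove(field); }
        boolean isLocked(String field) { return locked.contains(field); }
        String get(String field) { return values.get(field); }

        /** Apply one update from the client, consulting only server-side state. */
        Outcome apply(String field, String newValue) {
            if (!values.containsKey(field)) return Outcome.REJECTED_UNKNOWN;
            if (locked.contains(field)) return Outcome.REJECTED_LOCKED;
            values.put(field, newValue);
            return Outcome.APPLIED;
        }
    }

    /** Apply a batch of client updates; the report lets the server log rejected attempts. */
    static Map<String, Outcome> applyAll(FormState form, Map<String, String> clientUpdates) {
        Map<String, Outcome> report = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : clientUpdates.entrySet()) {
            report.put(e.getKey(), form.apply(e.getKey(), e.getValue()));
        }
        return report;
    }

    public static void main(String[] args) {
        FormState form = new FormState("input", "note");
        form.apply("input", "original");
        form.lock("input");   // the server decides this field is read-only

        // Constructed request: what arrives once the client-side `disabled` has been removed.
        Map<String, String> tampered = new LinkedHashMap<>();
        tampered.put("input", "injected");
        tampered.put("note", "fine");
        tampered.put("nosuchfield", "x");

        Map<String, Outcome> report = applyAll(form, tampered);
        report.forEach((field, outcome) -> System.out.println(field + " -> " + outcome));
        System.out.println("input is still: " + form.get("input"));
        if (report.containsValue(Outcome.REJECTED_LOCKED)) {
            // A locked field arriving in a request is a tampering signal worth logging server-side.
            System.out.println("ALERT: client attempted to change a locked field");
        }
    }
}
```

The point of the design is that `lock(...)` is called at the same moment the component is disabled, so the visual `disabled` attribute becomes purely cosmetic and the only authority over editability is server-side. In a ZK application the same check would sit in whatever code applies the bound value on the server (a setter, a command, or a validator), and a rejected update for a locked field is also a useful tamper indicator to log.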

1 Answer


Comments

Thanks, hawk.

This did the trick :-)

holos ( 2023-02-16 04:27:46 +0800 )edit